[pve-devel] [PATCH] controllers: bgp: enable multihop on the underlay
px at jack.fr.eu.org
Fri Apr 9 17:40:44 CEST 2021
Hello,
In Proxmox setup, there is no known serious issue
Contrary to "ttl security" (aka GTSM), multihop is not a security feature
I don't think there is a drawback to the proposed patch
However, disabling multihop when there is only one peer should also
work, so your proposal shall work as well
As you wish :)
Best regards,
On 4/9/21 3:50 PM, alexandre derumier wrote:
> Hi,
>
> any impact to enable it by default ?
>
> if user have only 1 peer for example ?
>
> maybe it is better to only enable it if we have more than 1 peer in the
> group ?
>
> and check that we use ebgp.
>
> something like:
>
> push @controller_config, "neighbor BGP ebgp-multihop 3" if $ebgp &&
> scalar @peers > 1;
>
>
> On 09/04/2021 14:21, Alexandre Bruyelles wrote:
>> From: Alexandre Bruyelles <git at jack.fr.eu.org>
>>
>> Multihop is required when the bgpd are running across
>> a pair of MLAG routers.
>> In such scenario, TCP traffic from Proxmox to router A
>> may pass through router B, which will decrease the TTL.
>>
>> Signed-off-by: Alexandre Bruyelles <git at jack.fr.eu.org>
>> ---
>> PVE/Network/SDN/Controllers/BgpPlugin.pm | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> index e5d8490..69436a0 100644
>> --- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> +++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
>> @@ -85,6 +85,7 @@ sub generate_controller_config {
>> push @controller_config, "neighbor BGP peer-group";
>> push @controller_config, "neighbor BGP remote-as $remoteas";
>> push @controller_config, "neighbor BGP bfd";
>> + push @controller_config, "neighbor BGP ebgp-multihop 3";
>> }
>> # BGP peers
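Review bot: the hop count in the added `neighbor BGP ebgp-multihop 3` is a hard-coded literal with no comment explaining it, and the push sits unconditionally beside the `remote-as` and `bfd` lines, so every peer group generated by this block gets it. The commit message describes a single extra hop through the second MLAG router, so please document why 3 was chosen or make the value configurable, and consider gating the push on the session being eBGP and on the number of peers, as suggested in the reply. Raising the accepted hop distance above the directly-connected default lets peers further away establish the session, so it should only be emitted where the topology needs it.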